P2P-Worm.Win32.Palevo.cjkl Analysis

Source: Internet
Author: User

English name: P2P-Worm.Win32.Palevo.cjkl
Virus length: 100,779,160 bytes
Virus Type: Worm
Hazard level:★★★
Affected platform: 2008, Win7, Vista and XP
MD5: 70f012b8b2ec6b8b39f7c67be6d4d1a7

The worm is written in a high-level language and packed to evade anti-virus engines and heuristic detection. It replaces a system file of the same name so that it starts automatically, traverses the disk for "tar", "cab", "tgz", "zip" and "rar" archives and inserts itself into them, and connects to a specified URL to download a large number of malicious programs, which it then runs, exposing the infected system to further attacks. The autorun.inf it writes activates the trojan when the user double-clicks the drive letter, and a scheduled task is created to run it automatically. This virus program only runs on 2008, Win7, XP and Vista systems.

1. The worm exits when the sysedit.exe file is present in the system or when the system is not 2008, Win7, XP or Vista. The version check and the construction of the sysedit.exe path:
.text:0040FC5F ; 91: if (VersionInformation.dwMajorVersion != 6)
.text:0040FC5F     mov     edi, wsprintfA
.text:0040FC65     cmp     [esp+14D18h+VersionInformation.dwMajorVersion], 6
.text:0040FC6D     jz      short loc_40FCB6
.text:0040FC6F ; 93: GetWindowsDirectoryA(&Buffer, 0x3E7u);
.text:0040FC6F     lea     edx, [esp+14D18h+Buffer]
.text:0040FC76     push    3E7h            ; uSize
.text:0040FC7B     push    edx             ; lpBuffer
.text:0040FC7C     call    ds:GetWindowsDirectoryA
.text:0040FC82 ; 94: wsprintfA(&FileName, "%s\\SysTEM32\\sysedit.exe", &Buffer);

2. Dropped files:
C:\WINDOWS\Ball.exe
C:\WINDOWS\TEMP\svchost.dll
C:\WINDOWS\TEMP\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
Note: auto-start
C:\WINDOWS\Tasks\registration component.bat
C:\Program Files\Tencent\QQ\Bin\QQ.exe
Note: replaces the original QQ.exe file with qqqq.exe.
C:\WINDOWS\system32\ctfmon.exe
Note: replaces the original ctfmon.exe file with ctfmon1.exe.
Adds a system service:
SYSTEM\CurrentControlSet\Services\Ball

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"Ball"="C:\WINDOWS\Ball.exe"
3. After searching all partitions for .rar, .zip, .tgz, .cab and .tar files, it runs the following command in the background by calling WinRAR: "<winrar path>" -ep a "<path of the archive found>" "%systemroot%\Tasks\registration component.bat"
This compresses "registration component.bat" into the archive. "registration component.bat" is the virus itself, and the file name is meant to induce users to click it and infect themselves.

4. Disables the Internet Connection Sharing and firewall services by running the "net stop sharedaccess" command.

5. autorun.inf file content
OPEN=Recycle.{645ff040-5081-101b-9f08-00aa002f954e}\ghostbak.exe
shell\open=Open(&O)
shell\open\Command=Recycle.{645ff040-5081-101b-9f08-00aa002f954e}\ghostbak.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=Recycle.{645ff040-5081-101b-9f08-00aa002f954e}\ghostbak.exe
Files written to the drive:
Recycle.{645FF040-5081-101B-9F08-00AA002F954E}
Ghostbak
GHOSTBAK.exe
Task registration component.bat
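The autorun.inf above uses the Recycle Bin CLSID folder trick so that Explorer hides the dropped executable while every open/explore action launches it. The following is an added detection example, not code from the original analysis: it parses an autorun.inf, picks out the keys that cause a launch (OPEN, SHELLEXECUTE and shell\*\command) and flags those pointing into a Recycle.{CLSID} folder or at an executable on the drive. The sample autorun.inf is constructed from the listing in section 5 with the backslashes restored.

```python
"""Flag autorun.inf launch entries of the kind this Palevo sample drops."""
import re

# CLSID of the Recycle Bin namespace folder: a real folder named
# "Recycle.{<CLSID>}" shows a Recycle Bin icon and hides what it contains.
RECYCLE_CLSID = "645ff040-5081-101b-9f08-00aa002f954e"
# autorun.inf keys that make Explorer launch something on open/double-click.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def parse_autorun(text: str) -> dict:
    """Return {key_lower: value} from the [autorun] section. A file with no
    section header, like the listing in section 5, counts as one [autorun]."""
    entries, in_autorun = {}, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_entries(text: str) -> list:
    """Return (key, value, reason) for launch entries that point into a
    Recycle.{CLSID} folder or at a script/executable on the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not LAUNCH_KEYS.match(key) or not value:
            continue
        low = value.lower()
        if f"recycle.{{{RECYCLE_CLSID}}}" in low:
            findings.append((key, value, "launches from Recycle Bin CLSID folder"))
        elif re.search(r"\.(exe|bat|cmd|scr|com|vbs)\b", low):
            findings.append((key, value, "launches an executable from the drive"))
    return findings

# Constructed sample modelled on the autorun.inf in section 5 (backslashes restored).
SAMPLE = """OPEN=Recycle.{645ff040-5081-101b-9f08-00aa002f954e}\\ghostbak.exe
shell\\open=Open(&O)
shell\\open\\Command=Recycle.{645ff040-5081-101b-9f08-00aa002f954e}\\ghostbak.exe
shell\\explore\\Command=Recycle.{645ff040-5081-101b-9f08-00aa002f954e}\\ghostbak.exe
"""

if __name__ == "__main__":
    for key, value, reason in suspicious_entries(SAMPLE):
        print(f"{key} = {value}  <- {reason}")
```

Run against the autorun.inf at the root of a removable drive, the three launch keys in the sample are reported while the menu-label key shell\open is ignored.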

6. Checks whether any of the following process names or program windows exist and terminates the process:
00406383 push 0042AC7C ASCII "360tray.exe"
00406388 mov ebx, 0042AC6C ASCII "KSafeTray.exe"
004063A1 push 0042AC60 ASCII "360sd.exe"
004063B2 push 0042AC58 ASCII "360 series"
004063BD push 0042AC58 ASCII "360 series"
004063DB push 0042AC4C ASCII "avp.exe"
0040640A push 0042AC38 ASCII "KvMonXP.exe"
00406439 push 0042AC24 ASCII "RavMonD.exe"
0040644A push 0042AC1C ASCII "Rising"
00406468 push 0042AC10 ASCII "egui.exe"
00406479 push 0042AC08 ASCII "NOD32"
00406497 push 0042ABFC ASCII "kxetray.exe"
004064C6 push 0042AC6C ASCII "KSafeTray.exe"
00406503 push 0042ABDC ASCII "QQ Butler"

7. Uses a built-in password list to spread the virus to users on the local network:
0040E7F6 mov eax, 0042B86C ASCII "test"
0040E804 mov edx, 0042B864 ASCII "admin"
0040E809 mov ecx, 0042B85C ASCI
